CVE-2023-26474

moderate-risk
Published 2023-03-02

XWiki Platform is a generic wiki platform. Starting in version 13.10, it's possible to use the right of an existing document content author to execute a text area property. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. There are no known workarounds.

Do I need to act?

~
2.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 08e0887f0362b21614e6bfcb5be7e1f568659c41, 962ee4ac0352ab1a89cc779c29e81b0674d0203e, c524887d154ff8f6df9651e36b904e234bf5a6ef
9
CVSS 9.9/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Xwiki

References (4)

Exploit https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-3738-p9x3-mv9r
Exploit https://jira.xwiki.org/browse/XWIKI-20373
Exploit https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-3738-p9x3-mv9r
Exploit https://jira.xwiki.org/browse/XWIKI-20373
43
/ 100
moderate-risk
Severity 33/34 · Critical
Exploitability 5/34 · Minimal
Exposure 5/34 · Minimal